We are seeing an increasing number of pieces of ransomware for Android devices. They are adopting new social engineering, communication and encryption techniques such as the use of TOR and advanced encryption algorithms (RSA-1024 and even elliptic curve cryptography). However, the majority of Android cryptolockers are simple enough to be disassembled and used to restore encrypted data.

The presentation will start with an overview of recent Android ransomware as well as the technologies used by them. Then we turn to reverse engineering techniques that can be applied to analyse malicious behaviour. Finally, we will perform a demo showing the process of analysing and patching the cyptolocker. During the demo the following tools and techniques will be addressed: disassembling/assembling using apktool, decompiling a dex file to jar with the dex2jar tool, decompiling a jar file with Java Decompiler to analyse the original Java code, a signing tool to sign the new package, Android SDK and emulator to run the cryptolocker.

Alexander Adamov

Alexander Adamov is a founder of Nioguard Cloud Sandbox Startup with more than ten years' experience in the anti-virus industry working for Kaspersky Lab, Lavasoft and Samsung. Alexander is also a university lecturer developing new courses for EU universities, presenting lectures and trainings that address network security, reverse engineering, and advanced malware analysis. At present he is researching a Ph.D. project related to cyberspace security and malware sandboxing in the cloud.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.